sesearch: -ep option searches for exact matches not supersets #69

Closed
cgzones opened this issue Mar 18, 2022 · 5 comments

Comments

@cgzones
Contributor

cgzones commented Mar 18, 2022

The blog post https://dburgener.github.io/2022/03/16/pwnkit-and-selinux.html mentions the -ep option of sesearch(1):

So lets see if we can find a type to set this to that httpd_t has both write and execute permissions on:

  sesearch -A -s httpd_t -p write,execute -ep

No results. It’s good practice to avoid granting the write and execute permission at the same time where possible to avoid exactly this sort of exploit, so this is nice to see.

But the option (based on version 4.4.0 and master) seems to not report rules where all the specified permissions are allowed, but all rules where the exact specified rules (and no more) are allowed.

Example based on current Reference Policy:

$ sesearch -A -s xguest_t -p write,execute policy.33 | grep -w write | grep -w execute
allow xguest_t user_bin_t:file { append create execute execute_no_trans getattr ioctl link lock map open read relabelfrom relabelto rename setattr unlink write };
allow xguest_t user_home_t:file { append create entrypoint execute execute_no_trans getattr ioctl link lock map open read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write };
allow xguest_t user_tmp_t:file { append create execute execute_no_trans getattr ioctl link lock map open read rename setattr unlink write };
$ sesearch -A -s xguest_t -p write,execute -ep policy.33

$ sesearch -A -s xguest_t -p append,create,execute,execute_no_trans,getattr,ioctl,link,lock,map,open,read,relabelfrom,relabelto,rename,setattr,unlink,write -ep policy.33
allow xguest_t user_bin_t:file { append create execute execute_no_trans getattr ioctl link lock map open read relabelfrom relabelto rename setattr unlink write };

Maybe the behavior of -ep should change or a new option should be introduced to match for supersets.

@cgzones
Contributor Author

cgzones commented Mar 18, 2022

/cc @dburgener

@dburgener
Member

Interesting. And it looks like this does actually impact the conclusion in my blog post, since using your grep approach does in fact yield a valid rule:

$ sesearch -A -s httpd_t -p write,execute | grep -w write | grep -w execute
allow httpd_t hugetlbfs_t:file { append execute execute_no_trans getattr ioctl lock map open read write };

(Although the lack of create is probably a problem for a practical exploit using this path)

I feel like the behavior I assumed in my post matches what's written in the man page: "A matching rule must have all specified permissions, instead of matching any of the specified permission." rather than what it seems the actual behavior is.

On the other hand, sesearch --help describes the behavior as:

"Match permission set exactly instead of matching any listed permission."

This is similar to the behavior described in the docstring for TERuleQuery.

My guess, based on the "ep" name, is that the permission equality is the intended behavior here, in which case the man page should probably be updated to match the text of the others. I'm happy to submit a PR for that if that's the way we want to go.

I would find the behavior I thought I was getting with "ep" valuable though, perhaps as a new argument.

@pebenito
Member

Correct, -ep is permission set equality.

@dburgener
Member

Digging into this a little bit more, if I've followed the set logic, I think the "perms_subset" flag in _match_perms() provides the behavior I thought I was getting, but it looks like it's only available through apol as a front end, and not exposed in sesearch. I'll see if I can make a PR this afternoon to expose that logic via sesearch if that's something you'd be interested in taking @pebenito?

@dburgener
Member

Made PR #71 to expose perms_subset via sesearch. It appears to produce the desired behavior for my use case:

$ ./sesearch -A -s httpd_t -p write,execute -sp
allow httpd_t hugetlbfs_t:file { append execute execute_no_trans getattr ioctl lock map open read write };
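The three matching modes discussed in this thread (the default "any listed permission", the -ep equality match, and the perms_subset behaviour exposed as -sp) come down to three set comparisons. The following is an added illustration of that set logic over the allow rules quoted above, not setools' own implementation; the rule parser and the extra lnk_file rule are constructed for the example.

```python
import re

# Constructed sample: the xguest_t rules quoted in this issue plus one
# single-permission rule (sesearch prints those without braces).
SAMPLE_RULES = """
allow xguest_t user_bin_t:file { append create execute execute_no_trans getattr ioctl link lock map open read relabelfrom relabelto rename setattr unlink write };
allow xguest_t user_home_t:file { append create entrypoint execute execute_no_trans getattr ioctl link lock map open read relabelfrom relabelto rename setattr unlink watch watch_mount watch_reads watch_sb watch_with_perm write };
allow xguest_t user_tmp_t:file { append create execute execute_no_trans getattr ioctl link lock map open read rename setattr unlink write };
allow xguest_t user_tmp_t:lnk_file read;
"""

# allow <source> <target>:<class> { p1 p2 ... };   or   allow s t:c perm;
RULE_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|([^\s;]+))\s*;$"
)


def parse_rules(text):
    """Return a list of (source, target, class, frozenset(perms)) tuples."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        src, tgt, tclass, braced, single = m.groups()
        perms = braced.split() if braced is not None else [single]
        rules.append((src, tgt, tclass, frozenset(perms)))
    return rules


def match_perms(rule_perms, query, mode):
    """mode: 'any' (plain -p), 'equal' (-ep), 'subset' (-sp / perms_subset)."""
    if mode == "any":      # rule grants at least one queried permission
        return bool(rule_perms & query)
    if mode == "equal":    # rule grants exactly the queried set, nothing more
        return rule_perms == query
    if mode == "subset":   # rule grants every queried permission (the grep -w chain)
        return query <= rule_perms
    raise ValueError(f"unknown mode {mode!r}")


def search(rules, source, perms, mode="any"):
    """Return 'target:class' for each rule of `source` whose perms match."""
    query = frozenset(perms)
    return [f"{t}:{c}" for s, t, c, p in rules
            if s == source and match_perms(p, query, mode)]
```

With write,execute the equality mode returns nothing while the subset mode returns the three file rules, which is exactly the discrepancy the issue reports.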
